Dangerous how? Create a CAA record which pins your CA and only allow the dns-01 challenge. Problem solved, a BGP hijack can't issue a valid certificate for your site.
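
As an added example (not part of the original comment), this Python check parses zone-file CAA lines and reports whether they pin a single CA and restrict it to dns-01 through the RFC 8657 `validationmethods` parameter. The CA names `ca.example` and `other-ca.example`, the sample records and the function names are constructed for illustration.

```python
import shlex

# Constructed sample zone lines; ca.example and other-ca.example are placeholders.
PINNED = ['example.com. 3600 IN CAA 0 issue "ca.example; validationmethods=dns-01"']
WEAK = [
    'example.com. 3600 IN CAA 0 issue "ca.example"',
    'example.com. 3600 IN CAA 0 issuewild "other-ca.example; validationmethods=http-01,dns-01"',
]

def parse_caa(line):
    """Split one zone-file CAA line into (tag, ca_domain, params)."""
    fields = shlex.split(line)           # keeps the quoted value as one field
    i = fields.index("CAA")
    tag, value = fields[i + 2].lower(), fields[i + 3]
    domain, *rest = [part.strip() for part in value.split(";")]
    params = {}
    for part in rest:
        if "=" in part:
            key, val = part.split("=", 1)
            params[key.strip().lower()] = val.strip()
    return tag, domain.lower(), params

def audit(records, expected_ca, allowed=frozenset({"dns-01"})):
    """Return findings; an empty list means one CA is pinned, dns-01 only."""
    parsed = [parse_caa(r) for r in records]
    findings = []
    # Without an issue record at this name, CAA does not restrict normal issuance.
    if not any(tag == "issue" for tag, _, _ in parsed):
        findings.append("no issue record: non-wildcard issuance is unrestricted")
    for tag, domain, params in parsed:
        if tag not in ("issue", "issuewild") or domain == "":
            continue                     # other tags, or ";" which forbids issuance
        if domain != expected_ca:
            findings.append(f"{tag}: unexpected CA {domain}")
        methods = {m.strip() for m in params.get("validationmethods", "").split(",")} - {""}
        if not methods:
            findings.append(f"{tag} {domain}: no validationmethods, any challenge type is accepted")
        elif methods - allowed:
            findings.append(f"{tag} {domain}: also allows {sorted(methods - allowed)}")
    return findings

if __name__ == "__main__":
    for name, zone in (("pinned", PINNED), ("weak", WEAK)):
        print(name, audit(zone, "ca.example") or "ok")
```

The `validationmethods` restriction only takes effect with a CA that implements RFC 8657, so confirm support with the pinned CA before relying on it.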